Multi-domain authorization and authentication

US 7,444,666 B2
Filed: 07/25/2002
Issued: 10/28/2008
Est. Priority Date: 07/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method of multi-domain authorisation/authentication on a computer network comprises:

a user making a request to a policy enforcement point (PEP) of a computer for access to a service on the computer of a first domain which requires authorisation for access from a second domain;

providing a location address for a meta policy decision point (MPDP) maintaining the user'"'"'s authorisation and/or authentication information provided from different issuing authorities, at which address authorisation and/or authentication information and/or further personal information of the user has been pre-stored at a remote location;

a policy decision point (PDP) of the service on the computer network then verifying the authorisation/authentication information received from the MPDP or seeking authorisation/authentication from an address received from the MPDP, the address provided in the pre-stored authorisation/authentication/further personal information; and

the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the MPDP is hosted by a party independent from the user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of multi-domain authorization/authentication on a computer network comprises: a user making a request to a policy enforcement point of a computer for access to information on the computer; providing a location address for a user'"'"'s authorization and/or authentication information, a policy decision point of the service on the computer network then verifying the authorization/authentication information; and the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the user'"'"'s authorization/authentication and/or further information is located on a meta policy decision point (MPDP).

Citations

25 Claims

1. A method of multi-domain authorisation/authentication on a computer network comprises:
- a user making a request to a policy enforcement point (PEP) of a computer for access to a service on the computer of a first domain which requires authorisation for access from a second domain;
  
  providing a location address for a meta policy decision point (MPDP) maintaining the user'"'"'s authorisation and/or authentication information provided from different issuing authorities, at which address authorisation and/or authentication information and/or further personal information of the user has been pre-stored at a remote location;
  
  a policy decision point (PDP) of the service on the computer network then verifying the authorisation/authentication information received from the MPDP or seeking authorisation/authentication from an address received from the MPDP, the address provided in the pre-stored authorisation/authentication/further personal information; and
  
  the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the MPDP is hosted by a party independent from the user.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 20, 21, 24)
- - 5. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the location address for the use'"'"'s authorisation/authentication information and/or further information is the address of the MPDP.
  - 6. A method of multi-domain authorisation/authentication as claimed in claim 5, in which the location address is a sub-address of the MPDP that is unique to the user.
  - 7. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP holds personal bank details and/or credit/charge card details of the user.
  - 8. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP holds address details for a computer of a user'"'"'s bank, or medical information/other personal information of the user.
  - 9. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP holds information concerning the location of another computer that can provide authorisation/authentication information or confirmation of authorisation/authentication information.
  - 10. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP holds information concerning to which parties the user is willing to provide authorisation/authentication information.
  - 11. A method of multi-domain authorisation/authentication as claimed in claim 10, in which the MPDP is programmable by the user to specify said parties.
  - 12. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP stores information as to which third parties have accessed information concerning the user from the MPDP.
  - 13. A method of multi-domain authorisation/authentication as claimed in claim 1, which includes the MPDP being a certification authority (CA) which issues digital certificates to servers to confer membership of a market place to those servers.
  - 14. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the method includes the MPDP issuing credential revocation and revalidation of a user.
  - 15. A method of multi-domain authorisation/authentication as claimed in claim 1, in which the MPDP receives information for credential revocation from a service provider and uses that information to modify a user'"'"'s authorisation/authentication information on the MPDP.
  - 16. A computer programmed to perform the method of claim 1.
  - 17. A computer as claimed in claim 16, which is programmed to perform the function or the MPDP described in relation to claim 1.
  - 20. A recordable medium bearing a computer program operable to perform the method of claim 1.
  - 21. A recordable medium bearing a computer program operable to perform the functions of the MPDP described in relation to claim 1.
  - 24. A user interface for a computer is operable to allow a user to update his authorisation/authentication/other information stored on an MPDP as described in relation to claim 1.

2. A method of multi-domain authorisation/authentication on a computer network comprises:
- a user making a request to a policy enforcement point (PEP) of a computer of a first domain for access to a service on the computer which requires authorisation for access from a second domain;
  
  providing a location address for a meta policy decision point (MPDP) maintaining the user'"'"'s authorisation and/or authentication information provided from different issuing authorities, at which address authorisation and/or authentication information and/or further personal information of the user has been pre-stored at a remote location;
  
  a policy decision point (PDP) of the service on the computer network then verifying the authorisation/authentication information received from the MPDP or seeking authorisation/authentication from an address received from the MPDP, the address provided in the pre-stored authorisation/authentication/further personal information; and
  
  the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein a plurality of MPDPs are provided and are operable to communicate with one another.
- View Dependent Claims (3, 18, 22)
- - 3. A method as claimed in claim 2, wherein the plurality of MPDPs are controlled by a number of independent entities.
  - 18. A computer programmed to perform the method of claim 2.
  - 22. A recordable medium bearing a computer program operable to perform the method of claim 2.

4. A method of multi-domain authorisation/authentication on a computer network comprises:
- a user making a request to a policy enforcement point (PEP) of a computer of a first domain for access to information or a service on the computer which requires authorisation for access from a second domain;
  
  providing a location address for a meta policy decision point (MPDP) maintaining the use'"'"'s authorisation and/or authentication information provided from different issuing authorities, at which address authorisation and/or authentication information and/or further personal information of the user has been pre-stored at a remote location;
  
  a policy decision point (PDP) of the service on the computer network then verifying the authorisation/authentication information received from the MPDP or seeking authorisation/authentication from an address received from the MPDP, the address provided in the pre-stored authorisation/authentication/further personal information; and
  
  the user being given access by the PEP to the information or the service requested, if the request is accepted, in which the information held on the MPDP is amendable by the user, to update the information.
- View Dependent Claims (19, 23)
- - 19. A computer programmed to perform the method of claim 4.
  - 23. A recordable medium bearing a computer program operable to perform the method of claim 4.

25. A method of enabling multi-domain authorisation/authentication on a computer network comprises:
- providing storage and a location address independent from a user for the user'"'"'s authorisation and/or authentication information provided from different issuing authorities, at which address said information has been pre-stored, the location address being given by a user when a request to access a service on a computer network is made for which service authorisation is required, in which the service obtains authentication or authorisation information for validating said user from said location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Edwards, Nigel John, Rouault, Jason
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/202,816
Publication Number

US 20030023880A1
Time in Patent Office

2,287 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/102 Entity profiles

Multi-domain authorization and authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-domain authorization and authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links